Chinese Hackers Hit Community Health System

Hackers who broke into network hospital group Community Health Systems stole non-medical customer data including credit cards, says new report.


Hackers might have stolen the personal data of approximately 4.5 million people, hospital group Community Health Systems disclosed Monday.

Cyberthieves accessed the general acute-care hospitals operator's network in April or June, said Community Health Systems (CHS) in an SEC report. Data included patient names, addresses, Social Security numbers, birth dates, and telephone numbers, but did not include patient credit or health information, CHS said. The records came from people who were referred to or received treatment from the organization over the past five years, it said.

CHS affiliates "own, operate, or lease 206 hospitals in 29 states, with approximately 31,100 licensed beds," according to its website. In its most recent financials, released on July 31, the organization reported net operating revenue for the three months that ended June 30 of $4.779 billion, a 49.8% increase over net operating revenue of $3.191 billion for the same period in 2013.

Forensic expert Mandiant (acquired by FireEye in January) and CHS believe the network hacker was an advanced persistent threat group from China that used "highly sophisticated malware and technology" to attack the network. Hackers bypassed CHS's security infrastructure, then used their illegal access to copy and transfer patients' data, the report said.

CHS did not respond to InformationWeek's request for an interview by press time.

After being hired by CHS in June to investigate the intrusion, Mandiant helped CHS implement measures to "increase its ability to inhibit, detect, respond, and contain future advanced attacks," said Charles Carmakal, managing director of Mandiant, via email.

Mandiant notified federal law enforcement officials of the break-in, CHS said. In the past, the suspected hackers have pursued intellectual property, including medical device and equipment development information, although in this breach they stole patient data.

In addition to removing the malware and implementing additional "remediation efforts," CHS is offering identity theft protection services to those potentially affected by the breach. The organization's cyber/privacy/liability insurance protects Community Health Systems from certain losses related to breaches, it said.

"I think the most important takeaway for healthcare CIOs/CEOs is that healthcare has to make similar investments in information security as the banking and financial industry has recently done," CISSP and information security consultant to the Los Angeles County Department of Public Health Sascha Schleumer told InformationWeek. "From the perspective of malicious hackers, why bother going after difficult targets when there are so many in the healthcare sector that have fewer protections? It's the same reason HR departments and tax preparers are being targeted -- less effort and more reward for the criminals."

Healthcare in general is less secure than retail, BitSight Technology determined earlier this year. As InformationWeek reported in May, healthcare took the longest time to respond to a breach -- taking more than five days to remediate illicit access -- compared with retailers' average four-day response.

The breach notification comes only weeks after Community Health Systems entered a settlement agreement with the US Department of Justice after an investigation into short-stay hospital admissions through emergency departments at some of its affiliated hospitals. The government concluded that 119 hospitals billed various payers for inpatient treatments that should have been billed as outpatient or observation cases. Under the agreement, Community Health Systems and affiliated hospitals agreed to pay more than $88 million but admitted no wrongdoing. It also entered into a five-year corporate integrity agreement (CIA) that's been incorporated into the organization's existing compliance program.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

This doesn't really surprise; as pointed out in the article, patient data is kept far less secure than retail/banking data, and that stuff seems to get breached weekly. The thought of what a Chinese hacking group wants with a bunch of patient data scares the @$#% out of me though...

It puzzled me that these hackers reportedly didn't steal either credit data or PHI, but took only other personal info (like SSNs, addresses, and ages). Of course, this information is useful and valuable to cyberthieves, but it makes me wonder whether they just happened across CHS, vs. it being a primary target. I'd also love to know more about how the malware was installed, although I suspect (and this is only a guess) it may have entered via social engineering.

I wonder whether the insurance companies that offer cybersecurity coverage can play a bigger role in encouraging healthcare organizations to invest more heavily and appropriately in security? I'm not saying that's the case at CHS, but some organizations spend very few dollars or other resources on securing data, networks, physical devices -- despite all the dire warnings coming from multiple sectors, including those without any monetary gain (but lots to lose). Just as your insurance decreases when you install a home alarm system or take a driver's ed class, you'd think rates for cybersecurity insurance could be cut substantially when organizations take multiple proactive steps to reduce risk. Anyone have more insight into this aspect?

Not promising news. Unfortunately, there is a lot of low-hanging fruit for cyberthieves to target. There's a financial incentive for this – because this type of information is valuable on certain markets.

Hopefully healthcare providers can find solutions to make these types of intrusions harder to perform.

Even in large complex organizations, the threat of data breaches is determined by the weakest link, which may be a small organization that is a business partner. With healthcare organizations increasingly adopting electronic medical record systems and automating transaction processes, we may see more frequent and disruptive breaches in this sector, at a time when healthcare organizations are trying to get patients, physicians and partners to adopt electronic records and processes.

So healthcare CEOs have to recognize that effective information security management is crucial, not just internally but also in processes involving external stakeholders and open networks.
